FedRAMP Authorization
Current Authorization Status
GOVERN is on the FedRAMP authorization path targeting FedRAMP Moderate (Revision 5).
| Milestone | Status | Target Date |
|---|---|---|
| 3PAO engagement | Complete | Q3 2025 |
| Documentation package | In progress | Q2 2026 |
| SAP (Security Assessment Plan) | In progress | Q2 2026 |
| SAR (Security Assessment Report) | Scheduled | Q3 2026 |
| ATO sponsorship | In discussions | Q4 2026 |
| FedRAMP Authorization | Targeted | Q1 2027 |
Agency ATO Path
Federal agencies can use GOVERN under an Agency ATO while FedRAMP authorization is in progress. This is the standard path for agencies that need to deploy GOVERN before FedRAMP authorization is complete.
Agency ATO Steps
- Contact Archetypal AI Government — federal@archetypal.ai
- Receive documentation package:
  - System Security Plan (SSP)
  - Control Implementation Summary (CIS)
  - Customer Responsibility Matrix (CRM)
  - Penetration test report
  - Vulnerability scan reports
- ISSO review — Your agency ISSO reviews the package
- 3PAO assessment (if required by your agency)
- AO authorization — Authorizing Official issues ATO
- Deploy with federal values overlay
Typical Agency ATO timeline: 30–90 days depending on agency process.
Control Implementation
GOVERN implements FedRAMP Moderate (800-53 Rev 5) controls across 20 control families.
High-Priority Control Families
| Family | Controls | GOVERN Implementation |
|---|---|---|
| Access Control (AC) | AC-2, AC-3, AC-17 | RBAC, CAC/PIV, session management |
| Audit & Accountability (AU) | AU-2, AU-9, AU-12 | Immutable audit log, SIEM integration |
| Configuration Management (CM) | CM-6, CM-7 | Hardened defaults, least function |
| Identification & Auth (IA) | IA-2, IA-5 | MFA required, PIV/CAC |
| System Protection (SC) | SC-8, SC-28 | TLS 1.2+, AES-256 encryption |
| System Integrity (SI) | SI-3, SI-10 | Input validation, malware protection |
Customer Responsibilities
The following controls are a shared responsibility. The agency must implement:
- AC-2: Account management procedures
- IA-5: Credential management for CAC/PIV issuance
- PE-3: Physical access controls to infrastructure
- PS-4: Personnel termination procedures
Continuous Monitoring
GOVERN supports FedRAMP Continuous Monitoring requirements:
```yaml
compliance:
  fedramp:
    continuousMonitoring:
      enabled: true
      scanFrequency: weekly
      reportFormat: oscal
      reportDestination: https://agency-isso.gov/govdash
    poa_m:
      autoCreate: true # Auto-create POA&M items for findings
```

Monthly vulnerability scan results and annual penetration test reports are provided to the sponsoring agency ISSO.